Quantitative Safety Analysis of a Coordinated Emergency Brake Protocol for Vehicle Platoons
(Preprint not for review)
Carl Bergenhem (1), Karl Meinke (2, corresponding author), Fabian Ström (2)
1. Qamcom Research and Technology AB, Falkenbergsg. 3, 41285 Gothenburg, Sweden
2. School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, 100 44 Stockholm, Sweden
Abstract. In this paper, we present a general methodology to estimate
safety related parameter values of cooperative cyber-physical system-of-
systems. As a case study, we consider a vehicle platoon model equipped
with a novel distributed protocol for coordinated emergency braking.
The estimation methodology is based on learning-based testing; which is
an approach to automated requirements testing that combines machine
learning with model checking.
Our methodology takes into account vehicle dynamics, control algorithm
design, inter-vehicle communication protocols and environmental factors
such as message packet loss rates. Empirical measurements from road
testing of vehicle-to-vehicle communication in a platoon are modeled
and used in our case study. We demonstrate that the minimum global
time headway for our platoon model equipped with the CEBP function
scales well with respect to platoon size.
Keywords: vehicle platoon, learning-based testing, Co-CPS, safety boundaries,
quantitative analysis, coordinated braking
1 Introduction
A vehicle platoon (or road train) is a collection of vehicles that coordinate and
collaborate to reach goals such as traveling to a certain destination, while also
improving e.g. safety, fuel economy and driver comfort. One challenge for pla-
toon design is coordination of a platoon-wide emergency brake by means of a
distributed protocol (CEBP). The overall goal is to avoid collisions within the
platoon while still performing braking as efficiently (i.e. with as high decelera-
tion) as possible. To justify the deployment of a CEBP solution it is necessary to
quantitatively analyse its behaviour, especially properties that impact on safety.
In this paper, we introduce a new methodology to estimate quantitative parameters related to safety properties of cooperating cyber-physical systems (Co-CPS). Our approach is based on the method of learning-based testing (LBT) [23]. We illustrate this methodology by estimating safety related parameters of
a platoon model that includes a novel CEBP algorithm. This case study is in
many ways generic. It therefore supports the claim that our parameter estimation
methodology could be extended to a wider variety of cyber-physical system-of-
systems through the use of simulators and virtualised environment modeling.
This is one goal of the EU project Safe Cooperating Cyber-Physical Systems
using Wireless Communication (SafeCOP 1).
In a platoon, the lead vehicle can be manually driven and the followers (one or
more) follow the leader automatically; using control algorithms for longitudinal
and lateral motion. The target inter-vehicle headway is small enough (e.g. <1 s)
that dependable communication is required for the platoon to be safe. A platoon
capable vehicle has the technologies (e.g. communication) to lead or follow in a
platoon. Issues concerning positioning, e.g. accuracy and reliability of GPS and
security, are out of scope here.
A platooning system can be considered to be a cooperative cyber-physical
system-of-systems (Co-CPS). This is because vehicle-to-vehicle (V2V) communi-
cation is an enabler for the technology [33]. Failures in a platoon (e.g. poor V2V
communication) could potentially cause physical harm. Safety analysis for Co-
CPS introduces many technical challenges. Basic problems include the system
size, and the existence of black-box third-party components, which can make it
technically infeasible to perform a full static analysis (see e.g. the conclusions on
platooning of [17]).
For this reason, learning-based testing (LBT) [21] is an interesting contribution to safety studies of Co-CPS. LBT combines promising aspects of testing, simulation and model-based analysis. By inferring black-box abstractions of a complex system, as well as using parallel simulation to accelerate learning, we can obtain approximate but accurate results with a good degree of scal-
LBT uses machine learning to reverse engineer multi-vehicle system-of-system
(SoS) models. These SoS models can then be subject to glass-box analysis tech-
niques, such as model checking, to check violation of safety requirements. Previ-
ously in [22], we have used LBT to analyse platooning systems from the perspec-
tive of qualitative safety properties, such as vehicle collisions. In this paper we
extend the scope of LBT to quantitative estimation of safety related parameters.
We show how to use LBT to numerically estimate a minimum value of an SoS parameter such that a given system safety property is not violated. This will
typically be a parameter that can be tuned to optimise a specific product for
some desired performance. Thus it might be overtuned in a way that can com-
promise safety or is inappropriate for an environment in some (possibly rare)
A pertinent example of parameter estimation arises in our platooning case
study. Here inter-vehicle distance and time gaps are typically reduced to a min-
imum in order to save fuel. The question arises: what is the minimum value that
could be chosen for all inter-vehicle gaps such that no crashes occur due to ve-
hicles being too close? This minimum value is influenced by many factors, not
only in the vehicle design itself, but also by environmental factors such as V2V
communication packet loss.
Our approach to quantitative parameter estimation involves performing mul-
tiple LBT sessions to efficiently refine an estimate interval. This computationally
intensive analysis becomes more feasible when simulators, models and the ap-
propriate machine learning algorithms are executed on inexpensive multi-core
hardware, which is increasingly available. We define a specific method for pa-
rameter estimation using LBT. We then illustrate it by applying it to study
our distributed CEBP algorithm integrated in a platoon simulator. The CEBP
algorithm is an exemplar of the Co-CPS paradigm of decentralised distributed
control. An optimal design for a CEBP is influenced by many factors such as
pre-existing platoon control algorithms, underlying physical dynamics models,
inter-vehicle communication protocols and environmental features.
Although many safety hazards impacted by CEBP could be studied, in this
paper we focus on the safety hazard due to message packet loss arising from radio
interference. We estimate the minimum global time headway for different platoon
sizes under both perfect communication and stochastic packet loss. This is the
minimum time headway between all platoon vehicles that allows collision free
motion. By extending the learning time of LBT, we can improve the reliability
of this estimate to any given level.
The stochastic packet loss model we use is based on empirical data from
V2V communication measurement during physical road tests with a platoon.
This stochastic packet loss model, a communication protocol model and a CEBP
implementation are then integrated with the platoon simulator described in [22]
to model communication and vehicle dynamics performance. The main emphasis
of our work however is on the analysis methodology itself, and not the problem
of fully accurate platoon modeling. Since we use black-box learning methods,
only platoon behavior, and not architecture or code structure are inferred. Thus
our LBT approach can be transferred to more complex platoon models without
1.1 Related Work
A platooning system for trucks with focus on fuel efficiency is presented in [20]. A brief survey of other vehicle platooning systems is given in [3]. Cooperative adaptive cruise control (CACC) is a similar technology to platooning, but has its focus entirely on maintaining steady-state longitudinal control. Emergency braking in a platoon is also studied in [13]. Here, a dedicated communication protocol and a novel controller (including control topology) that takes into account packet losses is investigated. Assumptions of bounded packet losses are made to be able to derive bounds on headway. In [32] different CACC strategies are evaluated regarding headway using simulation. Several different parameters associated with uncertainty are considered, including packet loss. An event-triggered control scheme and communication strategy is developed for platooning in [8]. Examples of static analysis applied to platooning problems where the collision-free property is studied are [7,9]. In [17] it is shown that verifying vehicle code does not scale well to the entire system-of-systems, and a mixed top-down and bottom-up verification strategy is applied.
Some (but not all) of the problems encountered in message packet loss in Sec-
tion 6 are related to compression waves within platoon simulations. Hence they
are somewhat related to the well-known phenomenon of string instability. The
effects of string stability and a networked control system have been studied in
[26]. Here an analytical approach of string stability is presented for a CACC ap-
plication; where each vehicle is controlled by its predecessor. Quantitative results
are given through an approach based on an analytical method. Communication
deficiencies are described in terms of a Maximum Allowable Transmission Inter-
val and Maximum Allowable Delay, rather than as a stochastic model of packet
loss. Safety is interpreted as string stability, rather than the crash condition of
zero distance between vehicles.
In [31] an analytical framework is presented which links the wireless channel characteristics with the probability of a crash in a two-vehicle emergency-brake scenario. The maximum tolerable delay, between the beginning of emergency braking by the preceding vehicle and the moment the following vehicle starts braking, is found. The developed CPS analysis approach is applied to demonstrate how V2V communication packet losses and communication delays impact the safe inter-vehicular distance for specified kinematic parameters of vehicle movements.
1.2 Organisation of the Paper
The rest of the paper is organised as follows. Section 2 presents measurement
of V2V communication in a platoon of trucks during road tests, providing the
basis of our communication model. Section 3 presents our novel CEBP algorithm.
Section 4 presents a methodology for quantitative safety analysis using learning-
based testing. Section 5 presents the platoon simulator used for safety analysis of
our CEBP algorithm. Section 6 presents the results of our quantitative analysis
of the minimum global time headway under conditions of packet loss. Finally,
conclusions and future work are given.
2 Road Testing
In this section we describe details and results of a measurement campaign within the Relcommh project [18] to establish packet loss levels in different platoon driving scenarios. These measurements of V2V communication were done using a platoon of four trucks (cf. Figure 1).
The motivation for this section is twofold. On the one hand, we wish to show in Section 6 how the reliability of quantitative safety analysis results for SoS is influenced by the accuracy of environmental modeling. On the other hand, there is a need in the literature to increase understanding of the environment that a platoon is designed for. In the light of the results of this section, we can point out some unrealistic assumptions made in the literature. Our measured results suggest that the low packet error rate used in [32] and the assumption of no packet loss in [8] are overly optimistic.
(Footnote 2: The measurements were done while the first author was employed at RISE, the Swedish Research Institute (previously SP Technical Research Institute of Sweden).)
In our measurement campaign, at each periodic message broadcast (10 Hz) from the leader truck, the perceived packet error rate (PER) at each of the following vehicles was measured. In Table 1, the PER is presented for three different scenarios. Messages were 500 bytes long, and 5.9 GHz V2V devices according to ETSI standards [10] were used. Each truck had a left and a right antenna from which it could send and receive. Therefore, two PERs are given: communication left-to-left and right-to-right. Differences between the two PERs can be explained by differences in the immediate surroundings on either side of the vehicle. For example, on the left side of the motorway there is a metal safety barrier that separates the two traffic directions, which may impact PER. The Motorway and Tunnel scenarios were measured at 80 km/h vehicle speed, with 20 m and 20-50 m inter-vehicle distance respectively. In the Parked scenario, the platoon was parked in platoon formation with a 10 m gap between each truck. The PER between the LV and FV1 is denoted PER_base. First-order linear regression over the three measured hops was used to calculate the projected average increase in PER for each vehicle hop (rightmost column of the table). This model was then incorporated into the platooning simulator. One result (11.14 %, Parked scenario, right-to-right, LV to FV3) could be anomalous, as it falls outside the expected trend of increasing PER as the distance between communicating vehicles (LV to FVi) increases.
Table 1: Packet error rates from the lead vehicle (LV) to following vehicle FVi. Upper row per scenario: left-to-left antennas; lower row: right-to-right antennas. The rightmost column is the fitted average PER increase per vehicle hop.

Scenario   LV to FV1   LV to FV2   LV to FV3   Avg. increase per hop
Motorway     3.67 %     18.03 %     40.91 %     18.62 %
             2.72 %      5.93 %     22.13 %      9.70 %
Tunnel       6.39 %      5.85 %     11.16 %      2.39 %
             6.82 %      6.74 %     11.47 %      2.32 %
Parked       0.57 %      5.89 %     22.13 %     10.78 %
             2.39 %     14.05 %     11.14 %      4.37 %
In all measured scenarios there were instances of consecutive packet loss (CPL). For the E4 motorway (left-to-left antenna) scenario the following was found: CPL1 = 61.53 % (single lost packet), CPL2 = 36 % (two lost packets in a row), CPL3 = 1.6 %, CPL4 = 0.8 %, CPL4..k = 0.87 %. The percentages indicate the distribution of a certain CPL, given that there is a packet loss. The largest CPL (longest blackout, k) was eight packets in a row. This implies that the assumed bounds on packet loss in [13] are somewhat optimistic (at most three and five consecutive lost packets are investigated there).
We note that the outcome of packet loss measurements depends on several factors such as the radio equipment, antennas, placement and environment. Further details of the measurements in the road tests are found in [18].
Fig. 1: Communication scheme in the tests. LV denotes Lead Vehicle. FVi denotes Following Vehicle i.
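The per-hop PER model of this section (PER_base plus a fitted average increase per vehicle hop), carried through in code as an added example that is not the paper's code. The measured values are those of Table 1; the least-squares fit, the extrapolation to followers beyond FV3 and the clamping to [0, 100] % are this example's own assumptions, since the paper only states that a first-order linear regression was used.

```python
"""Per-hop packet error rate model of Section 2 (added example, not the paper's code).

The measured PERs are copied from Table 1. The first-order linear fit, the
extrapolation to followers beyond FV3 and the clamping to [0, 100] % are this
example's own; the paper only states that a first-order linear regression was used.
"""
from typing import Dict, List, Tuple

# Table 1: PER in percent from LV to FV1, FV2, FV3; "left" = left-to-left antennas,
# "right" = right-to-right antennas.
TABLE_1: Dict[str, Dict[str, List[float]]] = {
    "motorway": {"left": [3.67, 18.03, 40.91], "right": [2.72, 5.93, 22.13]},
    "tunnel":   {"left": [6.39, 5.85, 11.16],  "right": [6.82, 6.74, 11.47]},
    "parked":   {"left": [0.57, 5.89, 22.13],  "right": [2.39, 14.05, 11.14]},
}


def linear_fit(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Ordinary least squares y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def per_increase_per_hop(pers: List[float]) -> float:
    """Fitted PER increase per vehicle hop over the measured hops 1..len(pers)."""
    hops = [float(k) for k in range(1, len(pers) + 1)]
    return linear_fit(hops, pers)[1]


def per_model(scenario: str, side: str) -> Tuple[float, float]:
    """(PER_base, average increase per hop) for one row of Table 1."""
    pers = TABLE_1[scenario][side]
    return pers[0], per_increase_per_hop(pers)


def per_to_follower(per_base: float, increase: float, k: int) -> float:
    """Modelled PER (%) from LV to FV_k: PER_base at k = 1 plus (k-1) hops of
    increase, clamped to [0, 100] (the clamp is this example's assumption)."""
    if k < 1:
        raise ValueError("follower index starts at 1")
    return min(100.0, max(0.0, per_base + (k - 1) * increase))


if __name__ == "__main__":
    for scenario in TABLE_1:
        for side in ("left", "right"):
            base, inc = per_model(scenario, side)
            print(f"{scenario:9s} {side:5s} PER_base={base:6.2f} % +{inc:5.2f} %/hop "
                  f"-> FV5 {per_to_follower(base, inc, 5):6.2f} %")
```

Over three equally spaced hops the least-squares slope equals (PER_FV3 - PER_FV1)/2, which is why the fitted values reproduce the rightmost column of Table 1 (18.62 % per hop for the motorway left-to-left row). Extrapolating that row to a fifth follower gives a modelled PER of about 78 %, which is the kind of value a longer platoon has to be analysed against.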
3 A Coordinated Emergency Brake Protocol
In this section, a protocol for Coordinated Emergency Brake (CEBP) is presented. The goal of the protocol is to coordinate vehicles in an emergency brake scenario to ensure safety (no crashes). An emergency brake can be initiated by any vehicle in the platoon. Here it is assumed that the platoon of N vehicles is formed and no vehicles are joining or leaving. It must be ensured that the last vehicle receives the brake command and actuates first. Braking can commence at the last vehicle directly when it receives the "E-brake request" message. The braking vehicle then sends an acknowledgement (ACK) forward with an "E-brake ACK" message. Preceding vehicles can thus start to brake when the ACK from succeeding vehicles arrives, e.g. FV2 cannot brake until an ACK is received from FV3 indicating that it has started to brake. This is illustrated in Figure 2.
Each vehicle also maintains a "brake-anyway" time-out timer. When the timer expires, the vehicle brakes directly and signals this, with an "E-brake directly" message, to the other vehicles. The value of the time-out corresponds to the expected latency for a returning ACK. Message sending can be done with event-triggered directed broadcast, i.e. there is a sender and an explicit receiver, but the message may be overheard by other vehicles within the platoon. In this case, a vehicle can prepare its brakes in anticipation of the ACK from succeeding
We assume that vehicles entering the platoon cannot be sorted according to deceleration capability. Instead, other sorting goals may have priority, such as destination or aerodynamic performance. Not having a sorting procedure at vehicle join implies that a brake strategy, i.e. the description of how vehicles will brake in the event of an emergency brake, must be found in another way. A simple way is to limit braking of the platoon according to the vehicle with least deceleration capability, as is done in [25]. Alternatively, an algorithm could find cliques of vehicles in the platoon that will brake together with a lowest common brake capability. In Figure 2 the actual deceleration capabilities are shown for an example platoon, e.g. -8 m/s² for the lead vehicle. As vehicles join the platoon, brake cliques will be formed, e.g. Clique 1 = (LV, FV1, -4 m/s²), Clique 2 = (FV2, FV3, -5 m/s²). The agreed deceleration of cliques increases towards the rear, implying that the last clique will brake the most. Note that this implies a voluntary reduction of deceleration capability in some vehicles. An algorithm for finding the brake strategy in the platoon is left for future work. CEBP assumes that a brake strategy has been decided and all vehicles will brake equally. The members and order of the platoon are known.
[Figure 2: platoon LV, FV1, FV2, FV3 with deceleration capabilities -8 m/s², -4 m/s², -6 m/s² and -5 m/s² respectively.]
Fig. 2: An E-brake command from the LV. The acknowledgement then propagates back to the LV from back to front.
Our CEBP algorithm has been implemented and integrated into each vehicle
in the platooning simulator of [22]. It has been studied using our quantitative
safety analysis method described in Section 4 and the results are presented in
Section 5.
3.1 Pseudo code
Pseudo code for the CEBP is presented in Algorithm 1. Vehicles are indexed by V_i, where i = 0 is the lead vehicle (first vehicle, also denoted LV) and i ∈ 1..N-1 are the following vehicles (also denoted FV, e.g. FV1 implies i = 1). The last vehicle is V_{N-1} (also denoted e.g. FV3 for N = 4). The algorithm described in the pseudo code is executed in each vehicle in the platoon. The index i is static in each vehicle, i.e. in each instance of the algorithm. This implies that each vehicle knows its identity and hence its position in the platoon. An E-brake command is assumed to come from an external system or to be manually initiated.
Algorithm 1 CEBP - Loop in every vehicle
1: if Ego Vehicle V_i wants to e-brake then
2:   send "E-brake request" to the last vehicle in the platoon V_{N-1}
3: end if
4: if "E-brake directly" is received by Ego Vehicle V_i then
5:   send "E-brake request" to the last vehicle in the platoon V_{N-1}
6: end if
7: if Ego Vehicle V_i (has sent "E-brake request" command) or (overheard "E-brake request" or "E-brake ACK" from V_j) then
8:   prepare brake system
9:   start Timer_i
10: end if
11: if "E-brake request" is received by Ego Vehicle V_i from a preceding vehicle V_j, where j ∈ {0..i-1} then
12:   Ego Vehicle V_i actuates e-brake strategy
13:   send "E-brake ACK" to the next preceding vehicle V_{i-1}
14: end if
15: if "E-brake ACK" is received by Ego Vehicle V_i from the next succeeding vehicle V_{i+1} then
16:   Ego Vehicle V_i actuates e-brake strategy
17:   stop Timer_i
18:   if i > 0 and has not already sent an "E-brake ACK" to the preceding vehicle then
19:     send "E-brake ACK" to the next preceding vehicle V_{i-1}
20:   end if
21: end if
22: if Timer_i has expired then
23:   Ego Vehicle V_i actuates e-brake strategy
24:   send "E-brake directly" to succeeding vehicles V_j, where j ∈ {i+1..N-1}
25:   send "E-brake ACK" to the next preceding vehicle V_{i-1}
26: end if
27: if Timer_i is started then
28:   decrease Timer_i
29: end if

Some comments regarding the code in Algorithm 1 are appropriate. On line 11, directly receiving an "E-brake request" implies that V_i is the last vehicle. This is because any vehicle that requests to E-brake will do so by sending to the last vehicle. On line 25, an ACK is sent by a vehicle that did "brake directly". This is because there could be preceding vehicles that are waiting for the ACK. If the ACK was not sent then the preceding vehicles could start to brake only after their time-out counters expire. On lines 24 and 25 the messages are repeated, e.g. until the algorithm is reset. On line 5 an alternative is possible. Instead of EBR/ACK, a vehicle that receives "E-brake directly" could also do "E-brake
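The exchange of Algorithm 1 run as a small discrete-time simulation, added here as an example; it is not the paper's platooning simulator or code. Its assumptions, none of which the paper fixes: one tick is one message slot; a message sent in tick t is heard in tick t+1 by every vehicle that does not drop it, where the addressee and each overhearer drop independently according to a caller-supplied `drop` predicate; the brake-anyway timeout of V_i is N - i + `margin` ticks, i.e. the expected return latency of its ACK plus a margin; and a vehicle that is already braking ignores "E-brake directly". `strictly_rear_first` checks the ordering goal of this section, that every vehicle actuates strictly after its successor.

```python
"""Discrete-time trace of the CEBP exchange of Algorithm 1 (added example, not the
paper's simulator). Assumptions made here and not in the paper: one tick is one
message slot; a message sent in tick t is heard in tick t+1 by every vehicle that
does not drop it (addressee and overhearers drop independently, decided by the
caller-supplied predicate); Timer_i is N - i + margin ticks, the expected return
latency of V_i's ACK plus a margin; a braking vehicle ignores "E-brake directly"."""
from typing import Callable, Dict, List, Optional, Tuple

Drop = Callable[[str, int, int, int], bool]   # (kind, src, receiver, tick) -> dropped?
Msg = Tuple[int, str, int, int]                # (tick, kind, src, dst)


class Vehicle:
    def __init__(self, i: int) -> None:
        self.i = i
        self.braking_at: Optional[int] = None   # tick of e-brake actuation
        self.prepared = False                   # brake system pre-charged (line 8)
        self.timer: Optional[int] = None        # brake-anyway timer, None = stopped
        self.sent_request = False
        self.sent_ack = False


def simulate_cebp(n: int, initiator: int = 0, margin: int = 1,
                  drop: Optional[Drop] = None, max_ticks: int = 50
                  ) -> Tuple[List[Optional[int]], List[Msg]]:
    """Run Algorithm 1 in V_0..V_{N-1}; return (brake tick per vehicle, send log)."""
    assert 0 <= initiator < n - 1, "a request from the last vehicle itself is not modelled"
    drop = drop or (lambda kind, src, rcv, tick: False)
    last = n - 1
    vehicles = [Vehicle(i) for i in range(n)]
    in_flight: List[Msg] = []      # (deliver_tick, kind, src, dst)
    log: List[Msg] = []

    def send(tick: int, kind: str, src: int, dst: int) -> None:
        in_flight.append((tick + 1, kind, src, dst))
        log.append((tick, kind, src, dst))

    def actuate(v: Vehicle, tick: int) -> None:
        if v.braking_at is None:
            v.braking_at = tick
        v.timer = None                 # a braking vehicle needs no brake-anyway timer

    for tick in range(max_ticks):
        # Directed broadcast: every vehicle except the sender may hear a message.
        heard: Dict[int, List[Tuple[str, int, int]]] = {i: [] for i in range(n)}
        due = [m for m in in_flight if m[0] == tick]
        in_flight = [m for m in in_flight if m[0] != tick]
        for _, kind, src, dst in due:
            for rcv in range(n):
                if rcv != src and not drop(kind, src, rcv, tick):
                    heard[rcv].append((kind, src, dst))

        for v in vehicles:
            i, msgs = v.i, heard[v.i]
            # Lines 1-3: the initiator wants to e-brake in tick 0.
            if tick == 0 and i == initiator:
                send(tick, "REQ", i, last)
                v.sent_request = True
            # Lines 4-6: "E-brake directly" addressed to us -> (re)issue the request.
            if (v.braking_at is None and not v.sent_request
                    and any(k == "DIRECT" and d == i for k, _, d in msgs)):
                send(tick, "REQ", i, last)
                v.sent_request = True
            # Lines 7-10: prepare the brakes and start Timer_i once.
            if v.sent_request or any(k in ("REQ", "ACK") for k, _, _ in msgs):
                v.prepared = True
                if v.timer is None and v.braking_at is None:
                    v.timer = n - i + margin
            # Lines 11-14: request addressed to us from a preceding vehicle.
            if any(k == "REQ" and d == i and s < i for k, s, d in msgs):
                actuate(v, tick)
                send(tick, "ACK", i, i - 1)
                v.sent_ack = True
            # Lines 15-21: ACK from the next succeeding vehicle (also stops Timer_i).
            if any(k == "ACK" and d == i and s == i + 1 for k, s, d in msgs):
                actuate(v, tick)
                if i > 0 and not v.sent_ack:
                    send(tick, "ACK", i, i - 1)
                    v.sent_ack = True
            # Lines 22-26: Timer_i expired -> brake anyway and tell the others.
            if v.timer == 0:
                actuate(v, tick)
                for j in range(i + 1, n):
                    send(tick, "DIRECT", i, j)
                if i > 0 and not v.sent_ack:
                    send(tick, "ACK", i, i - 1)
                    v.sent_ack = True
            # Lines 27-29: count a running timer down.
            if v.timer is not None:
                v.timer -= 1

        if all(v.braking_at is not None for v in vehicles):
            break
    return [v.braking_at for v in vehicles], log


def strictly_rear_first(brake_ticks: List[Optional[int]]) -> bool:
    """True when every vehicle actuates strictly after its successor (CEBP's goal)."""
    return all(a is not None and b is not None and a > b
               for a, b in zip(brake_ticks, brake_ticks[1:]))


if __name__ == "__main__":
    print(simulate_cebp(4)[0])
    lost_ack = lambda kind, src, rcv, tick: kind == "ACK" and src == 3 and rcv == 2
    print(simulate_cebp(4, drop=lost_ack)[0])
```

With a perfect channel and N = 4 the brake ticks are [4, 3, 2, 1], strictly rear first. Dropping the single ACK from FV3 to FV2 gives [5, 5, 4, 1]: FV2 actuates on its timeout one tick late, that tick consumes the LV's margin, so the LV also times out and actuates in the same tick as FV1. With the uniform margin assumed here this happens for one lost ACK anywhere in the chain, whatever the margin, because every vehicle's timeout is the same expected latency plus the same margin. The minimum headway estimated in Section 6 is what has to absorb such same-tick braking. A stochastic channel is obtained by passing a predicate built on `random.Random(seed)` with the per-hop PERs of Section 2.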
4 An LBT Methodology for Quantitative Safety Analysis
In this section, we review some fundamental principles of learning-based testing (LBT). We then show how these methods can support a quantitative approach to safety analysis.
4.1 Learning-based Testing (LBT)
We begin by reviewing the fundamental principles of learning-based testing
(LBT) as these have been implemented in our research tool LBTest. The ear-
liest version of this tool (LBTest 1.x) has been described in [24]. The current
tool architecture of LBTest 3.x is presented in Figure 3. This is a concurrent software architecture designed to support LBT on multi-core hardware. Such hardware supports the parallel execution of machine learning queries in multiple threads, where each thread executes a copy SUT_i of the system under test (SUT) (cf. Figure 3). This approach reduces both the simulation time and the learning time, as the learning algorithm itself can also be parallelized. Examples of computation time improvements by such parallelisation have been shown in [22]. By increasing the throughput of data, a larger data set becomes available for machine learning. This increases the accuracy or convergence of the final learned model and hence the reliability of quantitative parameter estimates. For analysing complex Co-CPS behaviors, we believe that concurrency is essential. Since the design of the architecture in Figure 3 has been discussed in [22], we focus on the basic principles of LBT here.
LBTest uses active automaton learning, a.k.a. regular inference (see e.g. [14]), to generate queries about a black-box SUT. These queries are then executed on the SUT as test cases, and the SUT behaviour is observed for each test case. In an iterative and incremental process, the test cases and the SUT observations are saved and used to build up a behavioral model of the SUT in polynomial time [1]. This model is an automaton or state machine model.
For requirements testing, partial and incomplete models of the SUT can
already be subjected, in the early stages of testing, to model checking against a
temporal logic requirement specification. Thus, even before the learning process
is complete, errors can be found in the SUT. This fact is important for large
and complex SUTs such as Co-CPS, where it might not be possible to learn
a complete model in any reasonable timescale, even with the use of multi-core
technology. In LBTest, propositional linear temporal logic (PLTL) is used as the requirements modeling language. (Recall that propositional LTL extends basic propositional logic with the temporal modalities G(φ) (always φ), F(φ) (sometime φ) and X(φ) (next φ). Other derived operators and past operators may also be included. See e.g. [12] for details.) This particular logic has the advantage that test cases can easily be extracted from the model checker, and used to filter out false negatives as we will show. LBTest makes use of a loosely integrated symbolic checker, NuSMV [6]. We are also developing a more tightly integrated explicit state model checker for efficiency reasons. These two processes of learning and model checking may be interleaved, an idea first suggested in [27]. Then they incrementally build up a sequence M1, M2, ... of models of the SUT, while generating and executing requirements test cases on each model Mi. However, for large and complex Co-CPS this interleaved approach is too inefficient, and model checking is then only performed on the final model. In Section 6 we have used model checking on the final model only. Thus no bias to the model from model checking and counterexample construction can exist.
Fig. 3: LBTest 3.x concurrent learning architecture
To separate true negatives (genuine SUT errors) from false negatives (arti-
facts of an incompletely learned model) it is necessary to validate each counter-
example to a requirement generated by the model checker. For this we can: (i) extract a test case representing the counter-example (infinite counter-examples to LTL liveness formulas are truncated around the loop, and the weaker test verdict "warning" may be issued), (ii) execute it on the SUT, (iii) apply an equality test that compares the observed SUT behavior with the predicted bad behavior from the model, and (iv) automatically generate the test verdict (pass, fail) from step (iii).
The soundness of learning-based testing as an analysis method relies on the soundness of the underlying model checker, and the soundness of equality testing. The completeness of LBT as an analysis method relies on the completeness of the underlying model checker, as well as convergence results about the learning algorithms which are used (see [14]). However, within practical case studies of large complex systems it may not be possible for learning to be completed in any reasonable time frame (see e.g. [11]). This problem is significant for Co-CPS. Therefore, development of LBTest has focused on incremental learning algorithms that can generate incomplete approximating models of the SUT in small increments.
To measure the test coverage achieved by learning-based testing we currently use a probably exactly correct (PEC) model of learning convergence as follows. In Figure 3, a stochastic equivalence checker is shown. This checker empirically estimates the behavioral accuracy of the final learned model M_final for replicating the behavior of the SUT on a randomly chosen set of input sequences. For
this, the input sequences are executed both on the SUT and the model. We then
measure the percentage of behaviorally identical output sequences generated by
both. This learning convergence model is more restrictive than the probably ap-
proximately correct (PAC) convergence model of [30]. There are two motivations
for this: (i) our automaton learning framework does not readily support notions
of approximate equivalence between data values, and (ii) for software safety anal-
ysis exact equality of data values (inputs or outputs) is often a pre-requisite to
infer failed test cases.
4.2 Quantitative Parameter Estimation
A qualitative safety analysis of platooning using LBT was given in [22]. Here
we extend this previous approach to quantitative parameter estimation. We are
interested to estimate the minimum values of numerical system parameters (such
as inter-vehicle distance and time headway) which lie on the boundary between
safe and unsafe system behavior.
More precisely, in quantitative parameter estimation, the problem is to estimate the minimum value $v_{min}$ of some continuous SUT parameter $p$ such that an LTL safety property $prop$ is not violated. The parameter $p$ could be an input variable, or a system constant that must be set to an optimal value. Now $p$ may or may not explicitly appear in the formula $prop$, but it should be able to influence its truth value (see e.g. the formula Eq 1 in Section 6).

If we can assume that the safety property $prop$ varies monotonically with $p$, then this allows us to use a binary chop search to iteratively halve an estimate interval $v_{min} \in [v^i_{true}, v^i_{false}]$ for $i = 0, \ldots, n$. Here $v^i_{true}$ is the current upper bound where $prop$ is true and $v^i_{false}$ is the current lower bound where $prop$ is false. The search begins from two initial endpoints $[v^0_{true}, v^0_{false}]$ that can be obtained by conservatively over-estimating and under-estimating the value of $v_{min}$.

For a binary chop search, as usual we iterate the boundary search process by refining one of the endpoints. Thus: (i) $v^{i+1}_{true} := (v^i_{true} + v^i_{false})/2$ if LBT cannot find a counterexample to $prop$ on the midpoint up to a given learning convergence value. Otherwise: (ii) $v^{i+1}_{false} := (v^i_{true} + v^i_{false})/2$. Then we carry forward into the next iteration the other endpoint, $v^{i+1}_{false} := v^i_{false}$ in case (i) and $v^{i+1}_{true} := v^i_{true}$ in case (ii) respectively. This process is iterated until a desired interval accuracy $[v^n_{true}, v^n_{false}]$ is achieved.
Refinement of the boundary $v^i_{true}$ is of course problematic here, since just because a counterexample has not been found by LBT, this does not mean that it does not exist. This is particularly true if the learned models are incomplete. Therefore, we emphasize that our methodology is a parameter estimation technique based on systematic testing, and not a verification technique. As such, our methodology provides an alternative to a traditional Monte-Carlo estimation of $v_{min}$. However, we believe there are three significant advantages to our approach compared with Monte-Carlo techniques, based on the use of machine learning.
(1) The explicit construction of a model using machine learning gives a more
powerful artifact than simply a set of execution traces (as used in Monte Carlo
estimation). This model allows us to analyze complex requirements properties,
including safety, fairness and liveness issues. These properties cannot be seman-
tically evaluated on traces alone, i.e. they are global properties of a model.
(2) Convergence estimates for the model give more insight into reliability of
the estimate for vmin than simply measuring the size and statistical significance
of a randomly chosen Monte Carlo sample set. This fact is easily demonstrated,
for if complete learning succeeds then a Monte Carlo approach is never aware
of this and will underestimate the statistical significance of the result. A related
aspect to this is the third advantage.
(3) The random query set associated with a Monte Carlo estimate contains
significant redundancy when compared with a query set generated by active
automaton learning. Said differently, random querying is a very inefficient way
to learn the structure of an automaton.
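The binary chop of Section 4.2 carried through in code, as an added example that is not part of the paper or of LBTest. `collision_free` is a constructed stand-in for one LBT session: a two-vehicle kinematic model in which the preceding vehicle brakes first and the succeeding vehicle `delay_s` later (the situation a brake-anyway timeout creates in Section 3), with the speed, decelerations and delay chosen here for illustration only. `binary_chop` implements cases (i) and (ii) above with the paper's $v_{true}$ / $v_{false}$ endpoints, and `safe(v)` returning True means "no counterexample found at parameter value v".

```python
"""Binary chop estimation of v_min (Section 4.2) against a stand-in safety oracle.

Added example, not the paper's LBTest tooling. safe(v) stands in for one LBT
session at parameter value v: True means no counterexample to prop was found.
The oracle below is this example's own two-vehicle kinematic model: the preceding
vehicle starts braking at t = 0, the succeeding vehicle delay_s later, and prop is
"the gap never reaches zero". Speeds and decelerations are illustrative values.
"""
from typing import Callable, List, Tuple


def collision_free(headway_s: float, v0: float = 22.2, a_front: float = 6.0,
                   a_rear: float = 5.0, delay_s: float = 0.4, dt: float = 0.001) -> bool:
    """Toy oracle, monotone in headway_s: a larger gap, identical trajectories."""
    x_front, x_rear = headway_s * v0, 0.0        # initial gap = headway * speed
    v_front = v_rear = v0
    t = 0.0
    while v_front > 0.0 or v_rear > 0.0:
        v_front = max(0.0, v_front - a_front * dt)
        if t >= delay_s:                          # succeeding vehicle brakes late
            v_rear = max(0.0, v_rear - a_rear * dt)
        x_front += v_front * dt
        x_rear += v_rear * dt
        t += dt
        if x_rear >= x_front:                     # crash condition: zero distance
            return False
    return True


def binary_chop(safe: Callable[[float], bool], v_true: float, v_false: float,
                tol: float) -> Tuple[float, float, List[Tuple[float, float]]]:
    """Halve [v_false, v_true] around v_min until v_true - v_false <= tol.

    v_true: value where prop is known to hold (conservative over-estimate of v_min).
    v_false: value where prop is known to fail (conservative under-estimate).
    Returns the final endpoints and the sequence of intervals visited.
    """
    if not safe(v_true) or safe(v_false):
        raise ValueError("initial endpoints must bracket the safe/unsafe boundary")
    history: List[Tuple[float, float]] = []
    while v_true - v_false > tol:
        mid = (v_true + v_false) / 2.0
        if safe(mid):
            v_true = mid      # case (i): no counterexample found, tighten the upper endpoint
        else:
            v_false = mid     # case (ii): counterexample found, raise the lower endpoint
        history.append((v_true, v_false))
    return v_true, v_false, history


if __name__ == "__main__":
    vt, vf, hist = binary_chop(collision_free, v_true=3.0, v_false=0.1, tol=0.01)
    print(f"v_min in [{vf:.3f}, {vt:.3f}] s after {len(hist)} oracle sessions")
```

With these constructed parameters the boundary sits near 0.77 s, because the closing distance is v0 * delay + (v0^2 / 2) * (1/a_rear - 1/a_front) = 17.1 m at 22.2 m/s, and the chop narrows [0.1, 3.0] to a 0.01 s wide interval after 9 oracle sessions. The caveat stated above applies unchanged: if `safe` misses a counterexample at some midpoint, $v_{true}$ moves below the real boundary and no later iteration can detect it, which is why the interval is an estimate from testing and not a verified bound.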
5 A Platooning Simulator
The simulator implements a model for each platoon vehicle behaviour as well as
a communication framework for inter-vehicle (V2V) communication modelled on
the IEEE 802.11p protocol. The platooning simulator is capable of simulating an
N-vehicle platoon travelling in one dimension along a roadway. It is an extension
of the simulator presented in [22]. No steering model (i.e. lateral movement) is
currently present in the simulator. This extension is part of ongoing research
into more general spatio-temporal logic requirements modeling for Co-CPS, see
e.g. [19].
5.1 The Vehicle Model
A key control algorithm in the platooning simulator is the longitudinal posi-
tion controller. For this, we have implemented several published ACC algorithms
which control the CACC component of each vehicle (see [29] for detailed descrip-
tions of each). The specific ACC evaluated in Section 6 is Kakade’s algorithm
[16], which was chosen for its simplicity and a basic tendency to propagate com-
pression waves. We were interested to know whether this effect, in combination
with message packet loss, could disturb emergency braking, and whether LBTest
could discover such a problem.
In the simulator there is a detailed model of vehicle braking. This includes
a complete industrial model of a brake-by-wire subsystem featuring: (i) global
brake torque distribution to individual wheels, (ii) ABS functionality based on
slippage detection, and (iii) a friction model for tyres based on slippage rate using
common physical parameter values. The simulator also includes e.g. odometry
and V2V communication. The most relevant missing models are engine, power-
train and suspension models. While these models could easily be added by using
an industrial simulator such as TruckMaker [15] (which is ongoing research) they
would not invalidate the basic methodology of this paper.
Environment models in the simulator deal with air resistance and road fric-
tion. We assume a constant road friction value for simplicity. A message packet
loss model, based on the data of Section 2 was used. To provide determinis-
tic and repeatable behavior (with the exception of packet loss), the simulator
is based on synchronous execution of all vehicle components. The fundamental
simulation cycle is one millisecond, which provides adequate simulation accuracy
for the control algorithms.
5.2 The Communication Model
The communication framework assumes wireless broadcast and point-to-point
multi-hop communication between the vehicles in the platoon. A slotted TDMA
scheme based on ideas from [5] is implemented: to avoid communication colli-
sions, each vehicle $V_i$ is allowed to transmit only in its own TDMA slot.
As communication is broadcast-based, receiving vehicles can lose packets
independently during a broadcast operation. Thus a packet can be received by
one vehicle and lost by another. For example, a broadcast from the LV is correctly
received at FV1 and FV2, but not at FV3, see Figure 1. In a platoon of $N$ vehicles,
for any sender $V_i$ and receiver $V_j$ (where $0 \le i, j \le N-1$, $i \ne j$) let $d = |i - j|$
be the distance, in vehicles, between the sender and receiver. The probability $P$, in
percent, of a message being lost is

$$P(\text{message lost}) = PER_{base} + increase \cdot (d - 1).$$

Note that with the values from the road test, the probability of message loss
from the LV to the last vehicle reaches 100% in a platoon of eight vehicles or more;
hence every such message is lost (unless e.g. multi-hop communication is used).
6 A Case Study in Quantitative Safety Analysis
In this section, we present a case study of applying our quantitative parame-
ter estimation method. The aim was to estimate the minimum safe global time
headway for a platoon which has two modes of behavior: high speed cruising and
emergency braking.
The local time headway $hw_i(t)$ between two consecutive platoon vehicles $V_i$
and $V_{i+1}$ at time $t$ is the time which would be needed for $V_{i+1}$ to cross the
gap which exists between $V_i$ and $V_{i+1}$ at time $t$ (footnote 5). This local dynamic parameter
measures the inter-vehicle gap in terms of time rather than distance. As a runtime
parameter to the CACC of $V_{i+1}$, its driver can set a desired value $HW_i$ for
$hw_i(t)$, according to relevant safety and fuel economy criteria. Typical values
for $HW_i$ are in the range 1.5 to 2.0 seconds [4]. This desired value $HW_i$ is
then maintained by the CACC. Perturbations to $hw_i(t)$ through lead vehicle $V_0$
actions will lead to short term deviations of $hw_i(t)$ from $HW_i$, which should be
smoothed out by its CACC.
We are particularly interested to estimate system-of-system parameters. For
this purpose, we assume that each platoon vehicle $V_i$ adopts the same common
global time headway $HW$, so that $HW = HW_i$ for all $i$. Now we can ask: what is the
smallest value $HW_{min}$ we can choose for $HW$ which ensures safe driving for
all vehicles $V_i$ under all possible modes of behavior (footnote 6)? By safe driving, we
assume as a minimum condition crash-free driving, but obviously this criterion
could be strengthened. The value $HW_{min}$ we term the minimum safe global time
headway. An estimate of $HW_{min}$ is easily obtained by LBT if communication
between vehicles is perfect, as the SUT is then completely deterministic.
When communication is imperfect then message packet loss is modeled stochas-
tically and the SUT is no longer deterministic. Although most model checkers
(including NuSMV) cope well with non-determinism, currently, LBTest uses ML
algorithms for deterministic automata only. To address this learning problem
we inferred a set of deterministic models which support analysis of the average
case behavior of the SUT. This seems pertinent, as the worst case SUT behavior
involves catastrophic loss of all message packets. An alternative for future re-
search would be to directly apply ML algorithms for non-deterministic or even
probabilistic automata. (See Section 7.)
The integration of two control algorithms for high-speed cruising and emer-
gency braking requires corresponding integration testing to ensure that no un-
wanted interactions can occur between these algorithms. In principle, high-speed
cruising can bring the entire platoon to a state where emergency braking can-
not be carried out safely. Such problems (if they occur) might be addressed
by choosing a larger global time headway, so that unsafe states were no longer
reachable. Thus one way to structure integration testing is to view it as an es-
timation problem for HWmin such that platooning is safe for both cruising and
emergency braking with high probability.
To conduct parameter estimation for $HW_{min}$, the following protocol was
implemented in LBTest. As in [22], we focused on emulating the lead driver
behavior, since all follower vehicles autonomously adapt to this. Each test case
$tc$ for an $N$-vehicle platoon consisted of a sequence $tc = (r_1, r_2, \ldots, r_\lambda)$ of lead
driver accelerator, brake or emergency brake commands $r_j$. Each such command
was one of: (i) a brake command (−1.88 m/s²), (ii) an accelerate command (1.25
m/s²), (iii) a neutral command (0 m/s²), or (iv) an emergency brake command
(−2.22 m/s²). The initial estimate of $HW_{min}$ was bounded between 0.5 and 2.0 seconds.

Footnote 5: Assuming $V_{i+1}$ maintains its speed at time $t$.
Footnote 6: Clearly $HW_{min}$ is a function of the many individual parameters of each vehicle $V_i$
such as its weight, braking power etc. Different values of $HW_{min}$ will thus be ob-
tained if individual vehicle parameters are changed. For simplicity, we have assumed
a homogeneous platoon, i.e. all vehicle parameters are the same.
For each test case $tc = (r_1, r_2, \ldots, r_\lambda)$, the length $\lambda$ and torque requests $r_j$
were chosen dynamically both by the learning algorithm and the equivalence
checker. For efficiency reasons, model checking was not used until after learn-
ing was concluded. Thus model checking counterexamples did not influence the
analysis. The test case length $\lambda$ took an average value of 18.3. On average, ran-
dom test cases amounted to 2.3% of the entire test set. This compares with
100% in the case of Monte Carlo parameter estimation. Thus the remaining 97.7% of test cases
were generated deterministically by ML to explore the state space of the SUT.
The communication wrapper loaded and executed each test case $tc$. Each torque
request value $r_j$ was maintained constantly for a nominal 5 seconds (5000 sim-
ulation cycles). Thus the length of the simulation corresponding to $tc$ was $5\lambda$
virtual seconds. The values chosen for $\lambda$ were sufficient to reach high cruising
speeds, in excess of 120 km/h.
The principal SUT output recorded for the test case $tc$ was the time sequence
of inter-vehicle gaps $x^i_{r,0}, \ldots, x^i_{r,\lambda}$ for each pair of vehicles $V_i, V_{i+1}$. Here, the
time sequence term $x^i_{r,t}$, for $0 \le t \le \lambda$, represents the gap between the host-
target pair $V_i$ and $V_{i+1}$ measured at the end (footnote 7) of $5t$ virtual seconds (i.e. $5000t$
simulation cycles). The continuous values of each distance observation $x^i_{r,t}$ were
partitioned within the communication wrapper into three discrete equivalence classes
based on host and velocity dependent distance boundaries.
To represent the physical system state of the platoon we also observed the
lead vehicle velocity values $v^1_0, \ldots, v^1_\lambda$ and acceleration values $a^1_0, \ldots, a^1_\lambda$ at the
same observation times. These continuous valued observations were partitioned
into 1 km/h and 1 km/h² equivalence classes.
During test sessions, each test case constructed by LBTest brought the entire
platoon into a high speed cruising mode (using a sequence of non-random or
random acceleration and braking commands). The test case would then issue the
emergency brake command $e$ followed by a sequence of neutral commands $0$ (footnote 8).
By alternating brake and acceleration commands, each test case could establish
different global dynamics in the platoon at the moment of emergency braking.
For example, by choosing to evaluate the simple PID algorithm for CACC of [16],
we were able to observe compression waves where some vehicles were decelerating
while others were accelerating. When the choice of global time headway $HW$ fell
below the minimum safe global headway $HW_{min}$ then at least one failed test case
could be observed. Since some of these failed test cases exhibited compression
waves, we concluded that compression is an important non-linear dynamic for
certain CACC designs. This observation concurs with the extensive literature
regarding string stability and ACC design, e.g. [28].

Footnote 7: It is also possible to use SUT observations between the output cycles by thresholding.
This can yield greater accuracy, but this approach was not taken here.
Footnote 8: These terminating neutral commands $0$ were redundant by the design of CEBP, but
extended the test case until the platoon was stopped.
The safety requirement for collision free travel was expressed in LTL as

$$\mathbf{G}\Big(\bigwedge_{i} Gap_i > 0\Big) \qquad \text{(Eq 1)}$$

This formula expresses that a platoon of size $N$ is safe, since $Gap_i$ represents
the $i$-th inter-vehicle headway between vehicles $V_i$ and $V_{i+1}$ and the conjunction
ranges over all $N-1$ consecutive pairs. Notice that
the global time headway $t$ is not explicitly represented in this formula. Nevertheless,
$t$ clearly influences Requirement Eq 1, as too short a headway leads to crashes.
Furthermore, $t$ influences Eq 1 monotonically, since every platoon trajectory
with a minimum time headway $t$ is also a legitimate trajectory for a minimum
time headway of $t' \le t$. So parameter estimation using a bisection method is
valid for this problem.
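The bisection estimate that this monotonicity argument licenses, together with the check a practitioner should run before trusting it, as an added example in Python (not the paper's LBTest implementation). The platooning simulator is replaced by a constructed two-vehicle oracle: leader and follower brake with equal deceleration, so the follower is crash-free iff the time headway covers its reaction delay. The constants SLOT and BASE_DELAY, the reaction-delay model, the 95% quantile used for the lossy case and the helper names are all assumptions of this example; only the 0.5 to 2.0 s bracket comes from the paper.

```python
"""Bisection estimate of HW_min, valid because Eq 1 is monotone in the headway.

Added example, not the paper's LBTest code. The SUT is a constructed oracle
(an assumption): with equal decelerations, the follower avoids a crash iff
its reaction delay is no longer than the time headway.
"""
import math
import random

SLOT = 0.1         # s between repeated emergency-brake broadcasts (assumed TDMA cycle)
BASE_DELAY = 0.6   # s from the first received broadcast to brake actuation (assumed)
MAX_LOST = 1000    # guard against an endless run of lost packets when p_loss ~ 1


def reaction_delay(p_loss, rng):
    """Delay until the follower brakes: BASE_DELAY plus one SLOT per lost broadcast."""
    lost = 0
    while lost < MAX_LOST and rng.random() < p_loss:
        lost += 1
    return BASE_DELAY + SLOT * lost


def deterministic_oracle(hw):
    """Perfect communication: safe iff hw covers the fixed reaction delay."""
    return hw >= BASE_DELAY


def sampled_oracle(p_loss, trials, quantile, seed):
    """Lossy communication: draw `trials` reaction delays once, then call a
    headway safe iff at least `quantile` of them are covered.

    Fixing the samples up front gives a deterministic, monotone oracle (the
    analogue of the paper's inferred deterministic models). Re-sampling on
    every call would break the monotonicity that bisection relies on.
    """
    rng = random.Random(seed)
    delays = sorted(reaction_delay(p_loss, rng) for _ in range(trials))
    need = math.ceil(quantile * trials - 1e-9)

    def is_safe(hw):
        return sum(1 for d in delays if d <= hw) >= need
    return is_safe


def check_monotone(is_safe, lo, hi, steps=64):
    """Sanity check before bisecting: once safe on a grid over [lo, hi], stays safe."""
    seen_safe = False
    for k in range(steps + 1):
        safe = is_safe(lo + (hi - lo) * k / steps)
        if seen_safe and not safe:
            return False
        seen_safe = seen_safe or safe
    return True


def bisect_min_safe(is_safe, lo=0.5, hi=2.0, tol=0.01):
    """Smallest headway (to within tol) that is_safe accepts, by bisection.

    Default bracket follows the paper's initial bounds of 0.5 s and 2.0 s.
    Both ends are checked, not assumed: an unsafe upper bound means HW_min
    lies outside the bracket, which must be widened rather than guessed.
    """
    if not is_safe(hi):
        raise ValueError(f"upper bound {hi} s is not safe; widen the bracket")
    if is_safe(lo):
        return lo
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if is_safe(mid):
            hi = mid
        else:
            lo = mid
    return hi


def estimate_lossy(p_loss, trials=200, quantile=0.95, seeds=range(5)):
    """Repeat the estimate over several sample sets (as over several inferred
    models) and report the worst (largest) and best value, i.e. the spread."""
    values = [bisect_min_safe(sampled_oracle(p_loss, trials, quantile, s)) for s in seeds]
    return max(values), min(values)


if __name__ == "__main__":
    print("perfect comms: HW_min ~", round(bisect_min_safe(deterministic_oracle), 3), "s")
    worst, best = estimate_lossy(0.5)
    print("50 % loss, 95 % quantile: HW_min between", round(best, 3), "and", round(worst, 3), "s")
```

With a stochastic SUT the bisection answer is only as good as the oracle's monotonicity, which is why the lossy oracle freezes its samples and why the spread across seeds, not a single run, is the number to report.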
Fig. 4: Minimum safe global time headway $HW_{min}$ (seconds) versus platoon size $N = 2, \ldots, 6$
for two packet loss scenarios: no packet loss and motorway packet loss. [Figure: plot of $HW_{min}$ against the number of vehicles $N$.]
The minimum safe global time headway $HW_{min}$ was estimated for two dif-
ferent wireless communication scenarios. In the first, perfect data transmission
was assumed in order to derive a baseline time headway value. In the second,
the packet loss model (cf. Section 5) with parameters derived from the mea-
surements of packet loss described in Section 2 was used. $PER_{base}$ and the average
increase per vehicle hop were chosen from the motorway scenario: 3.67% and
18.6% respectively. These values were the basis for a linear regression model to
calculate the probability of a packet being lost.
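The per-receiver loss model of Section 5.2, instantiated with the motorway parameters just given, as an added example in Python (not code from the paper's simulator). The clamp of the linear model to 100%, the independent per-receiver draw within one broadcast, and the hop-by-hop relay comparison (which the paper only mentions as future work) are this example's own assumptions, as are all function names.

```python
"""Packet-loss model of Section 5.2 with the motorway parameters of Section 6.

Added example, not the paper's simulator. P(lost) = PER_base + increase*(d-1)
for sender/receiver distance d = |i - j| in vehicles; values are percentages.
"""
import random

PER_BASE = 3.67       # % loss at d = 1 (motorway road test, Section 6)
PER_INCREASE = 18.6   # % extra loss per additional vehicle between sender and receiver


def p_loss(i, j, per_base=PER_BASE, per_increase=PER_INCREASE):
    """Probability in [0, 1] that a broadcast from V_i is lost at V_j.

    The linear model exceeds 100 % from d = 7 on, so it is clamped to [0, 1].
    The clamp is this example's assumption; the paper only notes that loss
    reaches 100 % from the LV to the last vehicle for N >= 8.
    """
    if i == j:
        raise ValueError("a vehicle does not receive its own broadcast")
    d = abs(i - j)
    percent = per_base + per_increase * (d - 1)
    return min(max(percent, 0.0), 100.0) / 100.0


def loss_profile(sender, n_vehicles):
    """Loss probability seen by every other vehicle for one sender."""
    return {j: p_loss(sender, j) for j in range(n_vehicles) if j != sender}


def broadcast(sender, n_vehicles, rng):
    """One broadcast in the sender's TDMA slot. Each receiver draws its own
    independent loss, so the packet may reach V_j but not V_k (Figure 1).
    Returns the set of vehicle indices that received the packet."""
    return {j for j in range(n_vehicles)
            if j != sender and rng.random() >= p_loss(sender, j)}


def loss_rate(sender, receiver, n_vehicles, rounds, seed=0):
    """Monte Carlo cross-check of p_loss: fraction of broadcasts lost at `receiver`."""
    rng = random.Random(seed)
    lost = sum(1 for _ in range(rounds)
               if receiver not in broadcast(sender, n_vehicles, rng))
    return lost / rounds


def p_loss_multihop(i, j, per_base=PER_BASE):
    """Loss if every intermediate vehicle relays to its neighbour (d = 1 per hop).

    Assumption of this example: each relay is an independent transmission at
    the base loss rate with no other drops. End-to-end loss is then
    1 - (1 - p_1)^hops, bought at a latency that grows with the hop count.
    """
    hops = abs(i - j)
    p_hop = min(max(per_base, 0.0), 100.0) / 100.0
    return 1.0 - (1.0 - p_hop) ** hops


if __name__ == "__main__":
    for n in (4, 7, 8):
        print(f"N={n}: LV -> last vehicle, direct loss {p_loss(0, n - 1):.2%}, "
              f"relayed hop-by-hop {p_loss_multihop(0, n - 1):.2%}")
    print("one LV broadcast in an 8-vehicle platoon reached:",
          sorted(broadcast(0, 8, random.Random(2018))))
```

For N = 8 the direct LV-to-last-vehicle loss is 100% under this model, while seven independent single hops at 3.67% each lose about 23% end to end; the price is that the emergency message now arrives one slot later per hop, which is the latency trade-off the conclusions point to.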
The minimum safe global time headway $HW_{min}$ for these two scenarios was
estimated for platoon sizes $N = 2, \ldots, 6$ to study its variation with platoon size.
The results can be seen in Figure 4. Significant is the observation that in both
scenarios $HW_{min}$ reaches a maximum value within this range of $N$, rather than
growing with every added vehicle. This can be interpreted to mean
that both the CACC and CEBP algorithms are scalable to large platoon sizes.
7 Conclusions
In this paper we have addressed a challenge in the area of cooperative cyber-
physical systems (Co-CPS), which is to quantitatively estimate safety related
parameters for a system-of-systems. An inherent problem here is the signifi-
cant system complexity, which calls for novel analysis techniques that can even
deal with the case where components may be "black box", i.e. their design and
construction are not always known. Thus a black-box approach to parameter
estimation based on learning-based testing (LBT) has been applied, and imple-
mented using the tool LBTest.
To illustrate and evaluate our approach we have presented a case study in the
area of vehicle platooning. This case study consisted of a platooning simulator
integrated with a CEBP - a distributed protocol for coordinated emergency brak-
ing. The minimum safe global time headway for this platooning simulator was
found for different platoon sizes, both with and without lossy communication.
Future research could expand this case study, for example by considering
the effects of time variant communication quality, and compare schemes, such
as multi-hop communication, to improve packet reception. This would increase
probability of reception, but latency will scale with the number of hops. We
could also study the behavior of non-homogeneous platoons.
Future research could also improve the efficiency and accuracy of the LBT
algorithms used here in the case of non-deterministic SUT behavior. For such be-
havior, it is possible to directly implement machine learning algorithms for non-
deterministic and probabilistic automata (see e.g. the survey [2]). This would
avoid the need to estimate parameter values using several experiments. Further-
more, by learning probabilistic automaton models it may even be possible to
estimate the statistical distribution of a parameter value by means of statistical
model checkers such as PRISM [34]. Finally, our LBT approach could be em-
pirically compared with Monte Carlo based approaches, regarding accuracy and
reliability of parameter estimates.
The research leading to these results has been performed in the SafeCOP project,
that received funding from the ECSEL Joint Undertaking under grant agreement
692529, and from Vinnova Swedish national funding. The work was partially
performed in the Next Generation Electrical Architecture (NGEA) step2 project,
funded by the Vinnova FFI-programme. We express special thanks for valuable
comments to Magnus Jonsson and Alexey Vinel of Halmstad University.
1. Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput.
75(2), 87–106 (Nov 1987)
2. Bennaceur, A., Meinke, K.: Machine learning for software analysis: Models, meth-
ods, and applications. In: Machine Learning for Dynamic Software Analysis: Poten-
tials and Limits. Lecture Notes in Computer Science, vol. 11026, pp. 3–49. Springer (2018)
3. Bergenhem, C., Shladover, S., Coelingh, E., Englund, C., Tsugawa, S.: Overview
of platooning systems. In: Proc. 19th ITS World Congress, Vienna, Austria (October 2012)
4. van den Bleek, R.: Design of a Hybrid Adaptive Cruise Control Stop-&-Go system.
Master’s thesis, Technische Universiteit Eindhoven, Department of Mechanical En-
gineering (2007)
5. Bohm, A., Jonsson, M., Kunert, K., Vinel, A.: Context-Aware Retransmis-
sion Scheme for Increased Reliability in Platooning Applications, pp. 30–42.
Springer International Publishing, Cham (2014)
6. Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M.,
Sebastiani, R., Tacchella, A.: NuSMV 2: An OpenSource Tool for Symbolic Model
Checking, pp. 359–364. Springer (2002)
7. Colin, S., Lanoix, A., Kouchnarenko, O., Souquières, J.: Using CSP||B Compo-
nents: Application to a Platoon of Vehicles, pp. 103–118. Springer (2009)
8. Dolk, V.S., Ploeg, J., Heemels, M.: Event-triggered control for string-stable vehi-
cle platooning. IEEE Transactions on Intelligent Transportation Systems 18(12),
3486–3500 (Dec 2017)
9. El-Zaher, M., Contet, J., Gruer, P., Gechter, F., Koukam, A.: Compositional verifi-
cation for reactive multi-agent systems applied to platoon non collision verification.
Stud. Inform. Univ. 10(3), 119–141 (2012)
10. European Telecommunications Standards Institute: Intelligent Transport Systems
(ITS); Access layer specification for Intelligent Transport Systems operating in the
5 GHz frequency band. EN 302 663 V1.2.1, ETSI (July 2013)
11. Feng, L., Lundmark, S., Meinke, K., Niu, F., Sindhu, M.A., Wong, P.Y.H.: Case
Studies in Learning-Based Testing, pp. 164–179. Springer (2013)
12. Fisher, M.: An Introduction to Practical Formal Methods Using Temporal Logic.
Wiley Publishing (2011)
13. Giordano, G., Segata, M., Blanchini, F., Cigno, R.L.: A joint network/control
design for cooperative automatic driving. In: 2017 IEEE Vehicular Networking
Conference (VNC). pp. 167–174 (Nov 2017)
14. De la Higuera, C.: Grammatical inference: learning automata and grammars. Cam-
bridge University Press (2010)
15. IPG Automotive: Brochure about CarMaker, TruckMaker and MotorcycleMaker (2018), [Online; ac-
cessed 11-June-2018]
16. Kakade, R.S.: Automatic Cruise Control System. Master’s thesis, Indian Institute
of Technology, Department of Systems and Control Engineering, Mumbai (2007)
17. Kamali, M., Dennis, L.A., McAree, O., Fisher, M., Veres, S.M.: Formal verification
of autonomous vehicle platooning. Science of Computer Programming 148, 88–106 (2017)
18. Karlsson, K., Carlsson, J., Larsson, M., Bergenhem, C.: Evaluation of the v2v
channel and diversity potential for platooning trucks. In: Antennas and Propaga-
tion (EuCAP) Proceedings of the 10th European Conference, Davos, Switzerland,
11-15 April, 2016. (2016)
19. Khosrowjerdi, H., Meinke, K.: Learning-based testing for autonomous systems us-
ing spatial and temporal requirements. In: Proc. 1st International Workshop on
Machine Learning and Software Engineering in Symbiosis. IEEE (2018)
20. Liang, K.Y., M˚artensson, J., Johansson, K.H.: Heavy-duty vehicle platoon forma-
tion for fuel efficiency. IEEE Transactions on Intelligent Transportation Systems
17(4), 1051–1061 (April 2016)
21. Meinke, K., Sindhu, M.A.: Incremental learning-based testing for reactive systems.
In: Gogolla, M., Wolff, B. (eds.) Tests and Proofs: 5th International Conference,
TAP 2011, Proceedings. pp. 134–151. Springer (2011)
22. Meinke, K.: Learning-based testing of cyber-physical systems-of-systems: A pla-
tooning study. In: Computer Performance Engineering - 14th European Workshop,
EPEW 2017, Berlin, Germany, September 7-8, 2017, Proceedings. pp. 135–151. Springer (2017)
23. Meinke, K., Sindhu, M.A.: Incremental learning-based testing for reactive systems.
In: Tests and Proofs - 5th International Conference, TAP 2011, Zurich, Switzerland,
June 30 - July 1, 2011. Proceedings. pp. 134–151 (2011)
24. Meinke, K., Sindhu, M.A.: Lbtest: A learning-based testing tool for reactive sys-
tems. In: Proceedings of the 2013 IEEE Sixth International Conference on Software
Testing, Verification and Validation. pp. 447–454. ICST ’13, IEEE Computer So-
ciety (2013)
25. Murthy, D.K., Masrur, A.: Braking in close following platoons: The law of the
weakest. In: 2016 Euromicro Conference on Digital System Design (DSD). pp.
613–620 (Aug 2016)
26. Oncu, S., Van de Wouw, N., Heemels, M., Nijmeijer, H.: String stability of in-
terconnected vehicles under communication constraints. In: Decision and Control
(CDC), 2012 IEEE 51st Annual Conference on. pp. 2459–2464. IEEE (2012)
27. Peled, D.A., Vardi, M.Y., Yannakakis, M.: Black box checking. In: Formal Methods
for Protocol Engineering and Distributed Systems, FORTE XII / PSTV XIX’99,
IFIP TC6 WG6.1. pp. 225–240 (1999)
28. Swaroop, D., Hedrick, J.: String stability of interconnected systems. IEEE Trans.
on Automatic Control 41, 349–357 (1996)
29. Trochez, D., Tsakalos, A.: Adaptive Cruise Control Implementation with Constant
Range and Constant Time-Gap Policies. Master’s thesis, KTH Royal Institute of
Technology, EECS School (2017)
30. Valiant, L.G.: A theory of the learnable. Commun. ACM 27(11), 1134–1142 (Nov 1984)
31. Vinel, A., Lyamin, N., Isachenkov, P.: Modeling of v2v communications for c-its
safety applications: a cps perspective. IEEE Communications Letters (2018)
32. van Willigen, W.H., Schut, M.C., Kester, L.J.H.M.: Evaluating adaptive cruise con-
trol strategies in worst-case scenarios. In: 2011 14th International IEEE Conference
on Intelligent Transportation Systems (ITSC). pp. 1910–1915 (Oct 2011)
33. Willke, T.L., Tientrakool, P., Maxemchuk, N.F.: A survey of inter-vehicle commu-
nication protocols and their applications. Commun. Surveys Tuts. 11(2), 3–20 (2009)
34. Younes, H.L.S., Kwiatkowska, M.Z., Norman, G., Parker, D.: Numerical vs. statis-
tical probabilistic model checking. STTT 8(3), 216–228 (2006)